How to configure wireguard Virtual Private Network with NetworkManager

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

In this issue, the editor explains how to configure a wireguard virtual private network with NetworkManager. The article is rich in content and analyzes and describes the topic from a professional point of view. I hope you get something out of reading it.

Virtual private networks (VPNs) are widely used. Today, a variety of solutions are available, through which users can access any type of resource while maintaining their confidentiality and privacy.

Recently, wireguard has become one of the most widely used virtual private network protocols because of its simplicity, speed and security. Wireguard was first used in the Linux kernel, but it can now be used on other platforms, such as iOS, Android, and so on.

Wireguard uses UDP as its transport protocol and establishes communication between peer nodes on the basis of Cryptokey Routing (CKR). Each peer node (whether server or client) has a key pair (a public key and a private key), and each public key is associated with a list of allowed IPs. For more information about wireguard, visit its home page: https://www.wireguard.com/

This article describes how to set up wireguard between two peer nodes (PeerA and PeerB). Both nodes run Fedora Linux and use NetworkManager for persistent configuration. The steps are:

Install the required software packages.

Generate the key pair.

Configure the wireguard interface.

Installation

Install the wireguard-tools package on both peer nodes (PeerA and PeerB):

    $ sudo -i
    # dnf -y install wireguard-tools

This package can be found in the Fedora Linux updates repository. It creates a configuration directory at /etc/wireguard/. This is where you will create the keys and the interface configuration file.

Generate key pair

Now, use the wg tool to generate public and private keys on each node:

    # cd /etc/wireguard
    # wg genkey | tee privatekey | wg pubkey > publickey

Configure the wireguard interface on PeerA. The configuration file needs the following items:

The desired IP address and mask of the PeerA node.

The UDP port that the node listens on.

The private key of PeerA.

    # cat << EOF > /etc/wireguard/wg0.conf
    [Interface]
    Address = 172.16.1.254/24
    SaveConfig = true
    ListenPort = 60001
    PrivateKey = mAoO2RxlqRvCZZoHhUDiW3+zAazcZoELrYbgl+TpPEc=

    [Peer]
    PublicKey = IOePXA9igeRqzCSzw4dhpl4+6l/NiQvkDSAnj5LtShw=
    AllowedIPs = 172.16.1.2/32
    EOF

Allow UDP traffic to pass through the port on which the node is listening:

    # firewall-cmd --add-port=60001/udp --permanent --zone=public
    # firewall-cmd --reload
    success

Finally, import the interface configuration file into NetworkManager. In this way, the wireguard interface will persist after restarting.

    # nmcli con import type wireguard file /etc/wireguard/wg0.conf
    Connection 'wg0' (21d939af-9e55-4df2-bacf-a13a4a488377) successfully added.

Verify the status of wg0:

    # wg
    interface: wg0
      public key: FEPcisOjLaZsJbYSxb0CI5pvbXwIB3BCjMUPxuaLrH8=
      private key: (hidden)
      listening port: 60001

    peer: IOePXA9igeRqzCSzw4dhpl4+6l/NiQvkDSAnj5LtShw=
      allowed ips: 172.16.1.2/32

    # nmcli -p device show wg0
    Device details (wg0)
    GENERAL.DEVICE:      wg0
    GENERAL.TYPE:        wireguard
    GENERAL.HWADDR:      (unknown)
    GENERAL.MTU:         1420
    GENERAL.STATE:       100 (connected)
    GENERAL.CONNECTION:  wg0
    GENERAL.CON-PATH:    /org/freedesktop/NetworkManager/ActiveC>
    IP4.ADDRESS[1]:      172.16.1.254/24
    IP4.GATEWAY:         --
    IP4.ROUTE[1]:        dst = 172.16.1.0/24, nh = 0.0.0.0, mt = >
    IP6.GATEWAY:         --

The above output shows that interface wg0 is connected. It can now communicate with the peer node of the virtual private network with the IP address 172.16.1.2.
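
Cryptokey Routing as PeerA applies it to the configuration above, shown as an added example (not part of the original article): an outbound packet goes to the peer whose AllowedIPs entry is the longest prefix covering the destination, and a decrypted inbound packet is kept only if its source address routes back to the peer that sent it. The second peer, its placeholder key and its prefixes are constructed for illustration.

```python
import ipaddress

# [Peer] sections of PeerA's wg0.conf from the article, plus one constructed
# peer (placeholder key, not from the article) with an overlapping prefix.
PEERB_KEY = "IOePXA9igeRqzCSzw4dhpl4+6l/NiQvkDSAnj5LtShw="
EXTRA_KEY = "CONSTRUCTED-PLACEHOLDER-KEY="
PEERA_CONF = f"""\
[Interface]
Address = 172.16.1.254/24
ListenPort = 60001

[Peer]
PublicKey = {PEERB_KEY}
AllowedIPs = 172.16.1.2/32

[Peer]
PublicKey = {EXTRA_KEY}
AllowedIPs = 172.16.1.0/25, 10.0.0.0/8
"""

def parse_peers(conf_text):
    """Return {public_key: [ip_network, ...]} built from the [Peer] sections."""
    peers, section, key = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section, key = line.strip("[]").lower(), None
        elif section == "peer" and "=" in line:
            name, _, value = (p.strip() for p in line.partition("="))
            if name.lower() == "publickey":
                key = value
                peers[key] = []
            elif name.lower() == "allowedips" and key:
                peers[key] += [ipaddress.ip_network(n.strip()) for n in value.split(",")]
    return peers

def route_out(peers, dst):
    """Outbound: the peer whose AllowedIPs entry is the longest prefix covering dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, key) for key, nets in peers.items()
               for net in nets if addr in net]
    return max(matches)[1] if matches else None

def accept_in(peers, sender_key, src):
    """Inbound: keep a decrypted packet only if its source routes back to the sender."""
    return route_out(peers, src) == sender_key

if __name__ == "__main__":
    table = parse_peers(PEERA_CONF)
    print(route_out(table, "172.16.1.2"), accept_in(table, EXTRA_KEY, "172.16.1.2"))
```

A destination that no AllowedIPs entry covers (172.16.1.200 here) has no peer, so the interface has nowhere to send it; an AllowedIPs mismatch between the two nodes therefore shows up as silently dropped traffic rather than as a handshake error.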

Configure the wireguard interface on PeerB. The configuration file needs the following items:

The IP address and mask of the PeerB node.

The private key of PeerB.

The public key of PeerA.

The IP address or hostname of PeerA and the UDP port on which it listens for wireguard traffic.

    # cat << EOF > /etc/wireguard/wg0.conf
    [Interface]
    Address = 172.16.1.2
    SaveConfig = true
    PrivateKey = UBiF85o7937fBK84c2qLFQwEr6eDhLSJsb5SAq1lF3c=

    [Peer]
    PublicKey = FEPcisOjLaZsJbYSxb0CI5pvbXwIB3BCjMUPxuaLrH8=
    AllowedIPs = 172.16.1.254/32
    Endpoint = peera.example.com:60001
    EOF

The final step is to import the interface configuration file into NetworkManager. As mentioned above, this step is the key to maintaining the persistence of the wireguard interface after a restart.

    # nmcli con import type wireguard file /etc/wireguard/wg0.conf
    Connection 'wg0' (39bdaba7-8d91-4334-bc8f-85fa978777d8) successfully added.

Verify the status of wg0:

    # wg
    interface: wg0
      public key: IOePXA9igeRqzCSzw4dhpl4+6l/NiQvkDSAnj5LtShw=
      private key: (hidden)
      listening port: 47749

    peer: FEPcisOjLaZsJbYSxb0CI5pvbXwIB3BCjMUPxuaLrH8=
      endpoint: 192.168.124.230:60001
      allowed ips: 172.16.1.254/32

    # nmcli -p device show wg0
    Device details (wg0)
    GENERAL.DEVICE:      wg0
    GENERAL.TYPE:        wireguard
    GENERAL.HWADDR:      (unknown)
    GENERAL.MTU:         1420
    GENERAL.STATE:       100 (connected)
    GENERAL.CONNECTION:  wg0
    GENERAL.CON-PATH:    /org/freedesktop/NetworkManager/ActiveC>
    IP4.ADDRESS[1]:      172.16.1.2/32
    IP4.GATEWAY:         --
    IP6.GATEWAY:         --

The above output shows that interface wg0 is connected. It can now communicate with the peer node of the virtual private network with the IP address 172.16.1.254.

Verify communication between nodes

After completing the above steps, the two peer nodes can communicate with each other through the virtual private network connection. The following is the ICMP test result:

    [root@peerb]# ping 172.16.1.254 -c 4
    PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
    64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.566 ms
    64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=1.33 ms
    64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=1.67 ms
    64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=1.47 ms

In this case, if you capture UDP traffic on PeerA port 60001, you will see the communication process and encrypted data that depend on the wireguard protocol:

[Figure: capture of UDP traffic between the nodes using the wireguard protocol]

Virtual private networks are common. Among the various protocols and tools used to deploy virtual private networks, wireguard is a simple, lightweight, and secure choice. It can establish a secure point-to-point connection between peer nodes based on CryptoKey routing, and the process is very simple. In addition, NetworkManager supports the wireguard interface, which allows persistent configuration after reboot.

The above is what the editor has to share on how to configure a wireguard virtual private network with NetworkManager. If you have similar questions, please refer to the analysis above.
